The present invention relates generally to information security, and more specifically, to a method and system utilizing quantum authentication.
Cryptography is concerned with the secure transmission of information between two parties. Unconditionally secure key distribution and unconditionally secure authentication are well recognized as the two fundamentals on which the strength of any cryptographic system depends.
Referring to FIG. 1, when a classical communication channel 102 is established between a sender (“Alice”) and a receiver (“Bob”), respectively, as widely used in the art, there is always a possibility that a third party (“Eve”) may eavesdrop on the channel 102. In classical cryptography Alice typically uses a cryptographic key 104 to encrypt the text prior to transmission over the channel 102 to Bob, so that the information encrypted with the key 106 remains secure even if the channel is public. In order for Bob to decrypt the message, however, the key 104 must be communicated. Thus, to securely share private information, Alice and Bob must already have shared private information, namely the cryptographic key 104. A basic problem of cryptography, therefore, is how to initially establish a private key between Alice and Bob, and how to ensure that such a key distribution technique is secure against Eve. If Alice and Bob communicate solely through classical messages, it is impossible for them to generate a certifiably cryptographic key due to the possible passive eavesdropping.
It has been proven that the Vernam cipher, i.e., the one-time pad, is the only unconditionally secure encryption algorithm. However, this encryption requires that the cryptographic key be truly random, at least equal to the message length, and strictly used only once. The reason it can be used only once is that repeated use of the same key is prone to the so-called ‘paper-and-pencil’ attack or running key attack. In short, the symmetric encryption uses a binary XOR operation to encrypt and decrypt messages. The key is automatically eliminated from the XOR operation once it is reused:
    Clear text A and B are encrypted by a key C
    E(A)=A XOR C, E(B)=B XOR C;
    E(A) XOR E(B)=(A XOR C) XOR (B XOR C)=A XOR B.
Therefore, the key C is eliminated from the operation. Although A and B may be time-consuming to find out using computers, they may be easily figured out manually by using paper and pencil.
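The cancellation above can be checked directly. The following is an added example, not part of the original text: the sample messages are constructed, and `reused_key_residue` and the `OneTimePad` manager (which enforces the use-once rule by consuming pad bytes) are hypothetical names introduced for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def reused_key_residue(a: bytes, b: bytes, c: bytes) -> bytes:
    """E(A) XOR E(B) when A and B are both encrypted under the same key C."""
    return xor(xor(a, c), xor(b, c))

class OneTimePad:
    """Hypothetical pad manager: every pad byte is consumed exactly once."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._offset = 0

    def encrypt(self, message: bytes) -> bytes:
        end = self._offset + len(message)
        if end > len(self._pad):
            raise ValueError("pad exhausted: refusing to reuse key material")
        chunk = self._pad[self._offset:end]
        self._offset = end  # these pad bytes are never handed out again
        return xor(message, chunk)

# Constructed sample clear texts of equal length, and a random key C.
A = b"TRANSFER 100 EUR"
B = b"MEETING AT NOON."
C = secrets.token_bytes(len(A))

if __name__ == "__main__":
    residue = reused_key_residue(A, B, C)
    print("key eliminated:", residue == xor(A, B))
    # Anyone who knows (or guesses) A reads B straight out of the residue.
    print("B from residue and A:", xor(residue, A))
    pad = OneTimePad(secrets.token_bytes(len(A) + len(B)))
    c1, c2 = pad.encrypt(A), pad.encrypt(B)
    print("fresh pad bytes leave no A XOR B:", xor(c1, c2) != xor(A, B))
```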
While the Vernam cipher does provide provable information-theoretic security on public channels, it is not widely used, mainly due to the difficulty of distributing the one-time pad and because every bit of information to be enciphered requires one bit of the one-time pad.
Quantum key distribution (QKD) provides an alternative for unconditional key distribution, using techniques that take advantage of the inviolability of the laws of quantum mechanics and provably secure public discussion protocols. Eve can neither “tap” the key transmissions owing to the indivisibility of quanta nor copy them faithfully because of the quantum “no-cloning” theorem. QKD resists interception and retransmission by an eavesdropper because the result of a measurement cannot be thought of as revealing a “possessed value” of a quantum state. A unique aspect of quantum cryptography is that the Heisenberg uncertainty principle ensures that if Eve attempts to intercept and measure Alice's quantum transmissions, her activities must produce an irreversible change in the quantum states that are retransmitted to Bob. These changes will introduce an error rate having a high number of anomalies in the transmissions between Alice and Bob, allowing them to detect the attempted eavesdropping. In particular, from the observed error rate Alice and Bob can put an upper bound on any partial knowledge that an eavesdropper may have acquired by monitoring their transmissions. This bound allows the intended users to apply conventional information theoretic techniques by public discussion to distill an error-free, secret key.
The general principles of quantum cryptography were first set forth by Bennett and Brassard in their article “Quantum Cryptography: Public key distribution and coin tossing,” Proceedings of the International Conference on Computers, Systems and Signal Processing, Bangalore, India, 1984, pp. 175-179 (IEEE, New York, 1984). This quantum key distribution (QKD) is generally known as the “BB84 protocol”. Exemplary QKD systems are also described in U.S. Pat. No. 5,307,410 to Bennett, and in the article by C. H. Bennett entitled “Quantum Cryptography Using Any Two Non-Orthogonal States”, Physical Review Letters 68(21) 3121-3124 (1992); all three documents are incorporated herein by reference.
FIG. 2 illustrates a four-state scheme as described in BB84 protocol for quantum key distribution in which the polarization of a single photon is used for encoding cryptographic values.
Referring to FIG. 2(a), two pairs of states 202, 204 are used for encoding cryptographic values, with each pair non-orthogonal to the other pair. The two states within a pair are orthogonal to each other. Pairs of orthogonal states are referred to as a basis. In the example shown, two non-orthogonal polarization bases (rectilinear basis and diagonal basis) are used to encode the “0” and “1”. The state pairs used in the rectilinear basis 202 are vertical (0°, ↑) 206 and horizontal (90°, →) 208; the diagonal basis 204 includes a 45° () state 210 and a 135° () state 212. Bits “0” 214 and “1” 216 are encoded as Eigen state (↑, →) in rectilinear basis 202 and Eigen state (, ) in diagonal basis 204, respectively. Other orthogonal states include circular basis of left- and right-handedness, or phase shift scheme. In a phase shift scheme, bits “0” and “1” can be encoded as (0, π) in basis 1 and (π/2, 3π/2) in basis 2, respectively.
The BB84 protocol is based on the uncertainty principle that in a single quantum system two sets of mutually non-orthogonal bases cannot be measured with certainty at the same time. A given orthogonal basis (e.g., the diagonal basis) can always be represented by a superposition of another basis non-orthogonal to it (e.g., the rectilinear basis). A measurement that can reliably distinguish a given basis would inevitably destroy the superposition state of the given basis (that is, non-orthogonal basis) and cause the given basis to collapse. More generally, a measurement that can partially distinguish a given basis would partially destroy the superposition state of the given basis and the state after measurement approaches statistical mixture of the given basis. Referring to FIG. 2(b), to begin the quantum key distribution process, Alice generates random bit values 220 and random bases (rectilinear basis or diagonal basis) 222 and then prepares a photon polarization state 224 (e.g. (↑, →, , )) depending both on the random bit value and random basis. So for example a “0” is encoded in the rectilinear basis (+) as a vertical polarization state (↑), and a “1” is encoded in the diagonal basis (x) as a 135° () state. Alice transmits a single photon in the state specified to Bob, but does not tell anyone the polarization of the photons she has transmitted. Bob receives the photons and measures their polarization in either a rectilinear or a diagonal basis with randomly selected and substantially equal probability 226. Bob records his chosen basis and his measurement results 228. Thus, the state of the photons which are in the Eigen state of the diagonal basis cannot be distinguished when the rectilinear basis is used at Bob 240, 244, and the state of the photons which are in the Eigen state of the rectilinear basis cannot be distinguished when the diagonal basis is used at Bob 234, 238. These measurements will produce an error with a probability of 50%.
After Bob has measured all the photons, he communicates with Alice over the public classical channel. Alice broadcasts the basis each photon was sent in, and Bob, the basis each was measured in. They both discard photon measurements (bits) 234, 238, 240 and 244 where Bob used a different basis, which will be half on average, leaving half the bits 232, 236, 242 and 246 as a shared key 230.
Alice and Bob then estimate whether Eve has eavesdropped upon the key distribution. To do this, Alice and Bob must agree upon a maximum tolerable error rate. Errors can occur due to the intrinsic noise of the quantum channel and due to eavesdropping attack by a third party. Alice and Bob choose randomly a subset of photons m from the sequence of photons that have been transmitted and measured on the same basis. For each of the m photons, Bob announces publicly his measurement result. Alice informs Bob whether his result is the same as what she had originally sent. They both then compute the error rate of the m photons and, since the measurement results of the m photons have been discussed publicly, the polarization data of the m photons are discarded. If the computed error rate is higher than the agreed upon tolerable error rate, Alice and Bob infer that substantial eavesdropping has occurred. If the error rate is acceptably small, Alice and Bob adopt the remaining polarizations, or some algebraic combination of their values, as secret bits of a shared secret key, interpreting horizontal (↑) or 45° () polarized photons as binary 0's and vertical (→) or 135° () photons as binary 1's.
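The sifting and error-estimation steps described above can be simulated classically. The following is an added example, not part of the original text: it assumes a noise-free channel and an eavesdropper who intercepts and retransmits every photon in a randomly chosen basis, which puts an error rate of about 25% on the compared photons; the function names and the 0.05 tolerable error rate are illustrative assumptions, and "+" and "x" denote the rectilinear and diagonal bases.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Matching basis returns the encoded bit; a mismatched one is a coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def bb84(n, eve=False, sample_frac=0.5, seed=None):
    """Simulate n photons over a noise-free channel (assumption).
    Returns (error rate on the m test photons, Alice's key, Bob's key)."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n)]
    alice_bases = [rng.choice("+x") for _ in range(n)]
    bob_bases = [rng.choice("+x") for _ in range(n)]

    bob_bits = []
    for bit, sent_basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eve:
            # Intercept and resend: Eve measures in a random basis and
            # retransmits the photon in the state she observed.
            eve_basis = rng.choice("+x")
            bit = measure(bit, sent_basis, eve_basis, rng)
            sent_basis = eve_basis
        bob_bits.append(measure(bit, sent_basis, bob_basis, rng))

    # Sifting: keep positions where Alice's and Bob's announced bases agree.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]

    # Error estimation: publicly compare a random subset m, then discard it.
    m = set(rng.sample(sifted, int(len(sifted) * sample_frac)))
    error_rate = sum(alice_bits[i] != bob_bits[i] for i in m) / len(m)

    key_a = [alice_bits[i] for i in sifted if i not in m]
    key_b = [bob_bits[i] for i in sifted if i not in m]
    return error_rate, key_a, key_b

def accept_key(error_rate, max_tolerable=0.05):
    """max_tolerable is an illustrative threshold, not a value from the text."""
    return error_rate <= max_tolerable

if __name__ == "__main__":
    for eve in (False, True):
        rate, key_a, key_b = bb84(8000, eve=eve, seed=1)
        print(f"eve={eve} error_rate={rate:.3f} accept={accept_key(rate)} "
              f"kept_bits={len(key_a)}")
```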
This protocol is secure for key distribution based on two assumptions:
    1. unconditional secure authentication is achieved before key distribution starts;
    2. only single photon pulses are allowed.
To prevent an impersonation attack, the public channel messages must be authenticated or otherwise protected against alteration or substitution. Authentication is the process that ensures that the parties communicating with each other over a communication link are who they say they are. In a QKD system, Alice and Bob must be sure they are talking to each other and that there is no man-in-the-middle impersonating Bob or Alice. This problem is addressed by authentication, which is classical and depends on the security of the key on which authentication is based. Unconditionally secure authentication protocols exist, so that if the key used is unconditionally secure the authentication can be made unconditionally secure as well. If the security is compromised, Alice and Bob must recheck that they are indeed communicating with each other and not with an eavesdropper in between. They can repeatedly perform authentication if they share keys they can absolutely trust.
The authentication protocol is also the only guarantee that Eve cannot change the data in a classical communication between Alice and Bob.
The authentication procedure works as follows. The initial key for authentication is preinstalled by a trusted party. The QKD system is capable of producing keys, or key regeneration, and delivering enough fresh keys for authentication purposes. The security of the new key depends on the security of the QKD protocol.
However, existing authentication mechanisms may be based on mathematical difficulties, which are not unconditionally secure. If the traditional QKD cryptography is equal to classical conditional security for authentication plus quantum unconditional security for key distribution, the overall security level (authentication plus key distribution) is conditionally secure.
Meanwhile, without guaranteed single photon pulses, QKD is open to the so-called beam split attack: Eve splits a single photon from multi-photon pulses, or blocks all single photon pulses and only allows multi-photon pulses to be transmitted to Bob. She can then accurately learn the key bits by measuring her stored photons after she learns the measurement types from the public channel, over which Bob publicly tells Alice his measurement type for each pulse.
Moreover, most practical QKD systems to date employ a multi-photon source, such as a laser, and attenuate multi-photon pulses to achieve single-photon quantum signals at a level of 0.1 or 0.2 photon per pulse. The photon distribution is governed by the Poisson distribution, so there are pulses containing more than one photon. Effort is made to suppress or discard the multi-photon signals generated by the single-photon source, but one photon-per-bit key distribution is impractical. In other words, in order to avoid transmitting more than one photon, the attenuator must be set such that about 50-90% of the attempted pulses generate zero photons. An attack on the multiple-photon pulses can prove very effective for Eve if she can take advantage of the large channel loss. Thus, the ability to detect Eve changing the efficiency of the delivery of single versus multi-photon pulses from Alice to Bob is the crucial element in maintaining system security in the presence of loss.
US Publication 2003/0169880 describes a quantum cryptography key distribution system for sharing a secret key between a transmitter and a receiver site. An unbalanced interferometer system in the transmitter site has a Mach-Zehnder interferometer switch with a phase modulator while the receiver site records photon arrival time slots. The system utilizes a whole arrival of photons in the receiver site and dispenses with any phase modulator in the receiver site. However, this method still depends on the classical authentication before key distribution.
US Publication 2007/0071244 describes a quantum key distribution station having the capability of forming decoy signals randomly interspersed with quantum signals as part of a QKD system. The QKD station includes a polarization-independent high-speed optical switch adapted for use as a variable optical attenuator. The high-speed optical switch has a first attenuation level that results in first outgoing optical signals in the form of quantum signals having a mean photon number μQ, and a second attenuation level that results in second outgoing optical signals as decoy signals having a mean photon number μD. This system, however, requires a complex optical switch.
Therefore, there is a need for a system and a method having an overall unconditionally secure quantum key distribution, including unconditionally secure authentication through a quantum channel and unconditional key distribution. There is a further need for an overall unconditionally secure quantum key distribution that is not limited to a single photon source.